feat: MVP phase 1 complete

2026-03-25 02:41:17 -05:00
parent 81ae5c6c7b
commit bfa03e6fbf
32 changed files with 3503 additions and 39 deletions
--- a/deploy/arcline-portal.service
+++ b/deploy/arcline-portal.service
@@ -0,0 +1,23 @@
+[Unit]
+Description=Arcline Portal — customer dashboard
+After=network.target
+
+[Service]
+Type=simple
+User=arcline
+Group=arcline
+WorkingDirectory=/opt/arcline-portal
+EnvironmentFile=/opt/arcline-portal/.env
+ExecStart=/opt/arcline-portal/arcline-portal
+Restart=on-failure
+RestartSec=5s
+
+# Hardening
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectSystem=strict
+ProtectHome=yes
+ReadWritePaths=/opt/arcline-portal
+
+[Install]
+WantedBy=multi-user.target
--- a/deploy/nginx-portal.conf
+++ b/deploy/nginx-portal.conf
@@ -0,0 +1,29 @@
+server {
+    listen 80;
+    server_name portal.arclineit.com;
+    return 301 https://$host$request_uri;
+}
+
+server {
+    listen 443 ssl;
+    server_name portal.arclineit.com;
+
+    ssl_certificate     /etc/ssl/arclineit.com/fullchain.pem;
+    ssl_certificate_key /etc/ssl/arclineit.com/privkey.pem;
+    ssl_protocols       TLSv1.2 TLSv1.3;
+    ssl_ciphers         HIGH:!aNULL:!MD5;
+
+    # Security headers
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
+    add_header X-Frame-Options DENY always;
+    add_header X-Content-Type-Options nosniff always;
+
+    location / {
+        proxy_pass         http://127.0.0.1:8082;
+        proxy_set_header   Host              $host;
+        proxy_set_header   X-Real-IP         $remote_addr;
+        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header   X-Forwarded-Proto $scheme;
+        proxy_read_timeout 30s;
+    }
+}